Network Compromise Assessment (NCA)
An NCA engagement is essentially a temporary deployment of the TADS service. It consists of installing portable versions of the TADS equipment at a Client's site, in a position where the equipment can capture network traffic: most commonly ingress and egress traffic, although under certain circumstances it may be appropriate to monitor inter-network traffic as well.
Once the equipment is installed, one or more consultants remain onsite to analyse the Client's network traffic in as near to real time as possible. This process begins with a baseline analysis phase designed to filter out legitimate business traffic, so that the analysis can concentrate on the traffic that is more likely to contain suspicious data. When the consultant observes network traffic that includes an indicator of compromise (IoC), the consultant works with the Client's I.T. staff to investigate further and track down the source of the suspicious traffic.
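The baseline-then-triage workflow described above, as an added example that is not part of the original page and is not Context's or the TADS service's own code. It assumes flow records have already been reduced to one "timestamp src dst dst_port bytes" line per connection (a constructed format), treats the 10.0.0.0/8 and 192.168.0.0/16 ranges as the Client's internal space, and uses a constructed placeholder IoC list; a real engagement would feed it the sensor's flow export and the consultant's current IoC set.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not from the original page). Baseline window:
# traffic captured while the consultant establishes what "normal" looks like.
BASELINE_FLOWS = """
2024-01-08T09:00:01 10.0.1.10 198.51.100.20 443 5120
2024-01-08T09:00:05 10.0.1.11 198.51.100.20 443 4096
2024-01-08T09:00:09 10.0.1.12 198.51.100.20 443 7300
2024-01-08T09:01:00 10.0.1.10 198.51.100.30 53 120
2024-01-08T09:01:02 10.0.1.11 198.51.100.30 53 118
2024-01-08T09:02:30 10.0.1.10 198.51.100.40 443 900
2024-01-08T09:03:00 192.168.5.5 10.0.1.10 445 2048
"""

# Monitoring window: traffic captured after the baseline has been built.
MONITOR_FLOWS = """
2024-01-09T10:00:01 10.0.1.11 198.51.100.20 443 6000
2024-01-09T10:00:04 10.0.1.12 203.0.113.50 8443 300
2024-01-09T10:00:10 10.0.1.10 192.0.2.77 4444 1500
2024-01-09T10:00:12 203.0.113.50 10.0.1.12 445 800
2024-01-09T10:00:20 10.0.1.11 198.51.100.30 53 110
2024-01-09T10:00:25 10.0.1.10 198.51.100.40 443 950
"""

# Assumed internal address space for the Client (an assumption of this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hypothetical IoC list; 203.0.113.0/24 is a documentation range, used as a placeholder.
IOC_IPS = {"203.0.113.50"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    port: int
    size: int


def parse_flows(text):
    """Parse the constructed 'ts src dst port bytes' lines into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, size = line.split()
        flows.append(Flow(ts, src, dst, int(port), int(size)))
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_egress(flow):
    return is_internal(flow.src) and not is_internal(flow.dst)


def build_baseline(flows, min_hosts=2):
    """Egress (destination, port) pairs used by at least min_hosts distinct
    internal hosts during the baseline window are treated as legitimate
    business traffic. A destination used by a single host is deliberately
    not baselined: it may be normal, but it deserves a look."""
    hosts_per_dest = {}
    for f in flows:
        if is_egress(f):
            hosts_per_dest.setdefault((f.dst, f.port), set()).add(f.src)
    return {dest for dest, hosts in hosts_per_dest.items() if len(hosts) >= min_hosts}


def triage(flows, baseline, ioc_ips):
    """Return (src, dst, port, reason) for flows worth the consultant's time:
    any flow touching an IoC address, in either direction, and any egress
    flow to a destination/port outside the baseline."""
    findings = []
    for f in flows:
        if f.src in ioc_ips or f.dst in ioc_ips:
            findings.append((f.src, f.dst, f.port, "ioc-match"))
        elif is_egress(f) and (f.dst, f.port) not in baseline:
            findings.append((f.src, f.dst, f.port, "outside-baseline"))
    return findings


def suspect_hosts(findings):
    """Count findings per internal host, i.e. the hosts to hand to the
    Client's I.T. staff for host-based investigation."""
    counts = Counter()
    for src, dst, _port, _reason in findings:
        counts[src if is_internal(src) else dst] += 1
    return counts


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    findings = triage(parse_flows(MONITOR_FLOWS), baseline, IOC_IPS)
    for finding in findings:
        print(finding)
    print(suspect_hosts(findings))
```

The two-host threshold in `build_baseline` is the design choice that matters: a lower threshold baselines more traffic and risks hiding a single infected host's habitual destination, a higher one produces more "outside-baseline" noise for the consultant to clear by hand. On the constructed data the 198.51.100.40 destination, used by one host only, is flagged on purpose so the consultant can confirm it with the Client rather than have the tool silently accept it.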
Once the source of the suspicious network traffic (usually an infected host) has been identified, the onsite consultants liaise with the Client to recommend short-term mitigation strategies (long-term mitigation strategies are provided in the final report, which is normally produced offsite at the end of the engagement), along with detailing further investigation options for which Context can be engaged as supplemental tasks (for example host-based forensic investigations, malware reverse engineering, or log analysis).